Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act (VCDPA) is a comprehensive state privacy law that provides Virginia residents with rights over their personal data and establishes clear requirements for organizations that collect or process that data.
What is the Virginia Consumer Data Protection Act (VCDPA)?
The Virginia Consumer Data Protection Act (VCDPA) is a statewide privacy law that regulates how businesses collect, process, and share personal data belonging to Virginia residents.
VCDPA grants consumers rights such as access, correction, deletion, data portability, and the ability to opt out of targeted advertising, data sales, and certain types of profiling.
The VCDPA applies to businesses that meet specific processing or revenue thresholds and requires organizations to maintain transparent privacy notices and implement reasonable security controls.
It also mandates privacy impact assessments for high-risk processing activities and requires stronger protections for sensitive data.
Why the Virginia Consumer Data Protection Act matters
The VCDPA was one of the first US state privacy laws to introduce GDPR-like rights and obligations, setting a precedent for modern privacy governance in the United States.
Complying with VCDPA helps organizations build trust, reduce regulatory exposure, and standardize privacy operations across an expanding patchwork of state laws.
The VCDPA also strengthens consumer confidence by ensuring organizations handle personal data responsibly, securely, and transparently.
How the Virginia Consumer Data Protection Act (VCDPA) Is applied in practice
- Updating privacy notices to include VCDPA-required disclosures
- Establishing workflows for access, deletion, correction, and portability requests
- Providing opt-out mechanisms for targeted advertising or data sales
- Classifying and protecting sensitive data according to legal requirements
- Conducting data protection assessments for high-risk processing
- Reviewing vendor relationships for proper data handling obligations
Related laws & standards
- General Data Protection Regulation (GDPR)
- Virginia Consumer Data Protection Act (VCDPA)
- California Privacy Rights Act (CPRA)
- India DPDPA
- Digital Operational Resilience Act (DORA)
- SOC 2
How OneTrust helps with the Virginia Consumer Data Protection Act
OneTrust helps organizations comply with the VCDPA by centralizing consumer rights workflows, automating data mapping, managing sensitive data classifications, and documenting high-risk processing assessments. The platform enables teams to maintain unified privacy operations across multiple state laws and demonstrate accountability to regulators.
[Explore Solutions →]
FAQs about the Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act has stricter definitions for sensitive data, requires data protection assessments, and uses opt-in consent for sensitive data processing, while CCPA includes additional requirements like data minimization and expanded consumer rights.
Businesses that target Virginia residents and meet specific data processing or revenue thresholds defined by the law.
Yes. Organizations must conduct data protection assessments for activities such as targeted advertising, profiling, the sale of data, and processing sensitive data.
